儲存庫 vbox 的更動 44084
- 時間撮記:
- 2012-12-10 下午04:40:47 (12 年 以前)
- 位置:
- trunk/src/libs/libxml2-2.6.31
- 檔案:
-
- 修改 2 筆資料
trunk/src/libs/libxml2-2.6.31/entities.c
r39921 r44084 473 473 */ 474 474 #define growBufferReentrant() { \ 475 buffer_size *= 2;\476 buffer = (xmlChar *)\477 xmlRealloc(buffer, buffer_size * sizeof(xmlChar));\478 if (buffer == NULL) {\479 xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\480 return(NULL); \481 }\475 xmlChar *tmp; \ 476 size_t new_size = buffer_size * 2; \ 477 if (new_size < buffer_size) goto mem_error; \ 478 tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ 479 if (tmp == NULL) goto mem_error; \ 480 buffer = tmp; \ 481 buffer_size = new_size; \ 482 482 } 483 483 … … 500 500 xmlChar *buffer = NULL; 501 501 xmlChar *out = NULL; 502 int buffer_size = 0;502 size_t buffer_size = 0; 503 503 int html = 0; 504 504 … … 519 519 520 520 while (*cur != '\0') { 521 if (out - buffer > buffer_size - 100) {522 int indx = out - buffer; 521 size_t indx = out - buffer; 522 if (indx + 100 > buffer_size) { 523 523 524 524 growBufferReentrant(); … … 637 637 *out++ = 0; 638 638 return(buffer); 639 640 mem_error: 641 xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed"); 642 xmlFree(buffer); 643 return(NULL); 639 644 } 640 645 … … 654 659 xmlChar *buffer = NULL; 655 660 xmlChar *out = NULL; 656 int buffer_size = 0;661 size_t buffer_size = 0; 657 662 if (input == NULL) return(NULL); 658 663 … … 669 674 670 675 while (*cur != '\0') { 671 if (out - buffer > buffer_size - 10) {672 int indx = out - buffer; 676 size_t indx = out - buffer; 677 if (indx + 10 > buffer_size) { 673 678 674 679 growBufferReentrant(); … … 719 724 *out++ = 0; 720 725 return(buffer); 726 727 mem_error: 728 xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed"); 729 xmlFree(buffer); 730 return(NULL); 721 731 } 722 732 -
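Review bot: The rewritten growBufferReentrant() macro now hides a `goto mem_error` and updates the caller's `buffer` and `buffer_size`, but the comment block above it (only its closing `*/` is visible in this section) does not appear to state that contract. I would add a line such as `/* Requires locals buffer (xmlChar *) and buffer_size (size_t), and a mem_error: label that frees buffer. */` so that a later caller cannot reuse the macro without the cleanup path. The same applies to growBuffer(buffer, n) in parser.c, which has the same shape after this change. Both macros are also still bare `{ ... }` blocks; wrapping them in `do { ... } while (0)` would make them behave as a single statement, for example before an `else`.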
trunk/src/libs/libxml2-2.6.31/parser.c
r39921 r44084 41 41 42 42 #include <stdlib.h> 43 #include <limits.h> 43 44 #include <string.h> 44 45 #include <stdarg.h> … … 110 111 */ 111 112 static int 112 xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned longsize,113 xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, 113 114 xmlEntityPtr ent) 114 115 { 115 unsigned longconsumed = 0;116 size_t consumed = 0; 116 117 117 118 if (ctxt == NULL) … … 2270 2271 #define growBuffer(buffer, n) { \ 2271 2272 xmlChar *tmp; \ 2272 buffer##_size *= 2; \ 2273 buffer##_size += n; \ 2274 tmp = (xmlChar *) \ 2275 xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \ 2273 size_t new_size = buffer##_size * 2 + n; \ 2274 if (new_size < buffer##_size) goto mem_error; \ 2275 tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ 2276 2276 if (tmp == NULL) goto mem_error; \ 2277 2277 buffer = tmp; \ 2278 buffer##_size = new_size; \ 2278 2279 } 2279 2280 … … 2301 2302 int what, xmlChar end, xmlChar end2, xmlChar end3) { 2302 2303 xmlChar *buffer = NULL; 2303 int buffer_size = 0; 2304 size_t buffer_size = 0; 2305 size_t nbchars = 0; 2304 2306 2305 2307 xmlChar *current = NULL; … … 2307 2309 xmlEntityPtr ent; 2308 2310 int c,l; 2309 int nbchars = 0;2310 2311 2311 2312 if ((ctxt == NULL) || (str == NULL) || (len < 0)) … … 2322 2323 */ 2323 2324 buffer_size = XML_PARSER_BIG_BUFFER_SIZE; 2324 buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar));2325 buffer = (xmlChar *) xmlMallocAtomic(buffer_size); 2325 2326 if (buffer == NULL) goto mem_error; 2326 2327 … … 2342 2343 COPY_BUF(0,buffer,nbchars,val); 2343 2344 } 2344 if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {2345 if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { 2345 2346 growBuffer(buffer, XML_PARSER_BUFFER_SIZE); 2346 2347 } … … 2359 2360 if (ent->content != NULL) { 2360 2361 COPY_BUF(0,buffer,nbchars,ent->content[0]); 2361 if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {2362 if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { 2362 2363 
growBuffer(buffer, XML_PARSER_BUFFER_SIZE); 2363 2364 } … … 2377 2378 while (*current != 0) { /* non input consuming loop */ 2378 2379 buffer[nbchars++] = *current++; 2379 if (nbchars > 2380 buffer_size - XML_PARSER_BUFFER_SIZE) { 2380 if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { 2381 2381 if (xmlParserEntityCheck(ctxt, nbchars, ent)) { 2382 2382 xmlFree(rep); … … 2393 2393 2394 2394 buffer[nbchars++] = '&'; 2395 if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {2395 if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) { 2396 2396 growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); 2397 2397 } … … 2420 2420 while (*current != 0) { /* non input consuming loop */ 2421 2421 buffer[nbchars++] = *current++; 2422 if (nbchars > 2423 buffer_size - XML_PARSER_BUFFER_SIZE) { 2422 if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { 2424 2423 if (xmlParserEntityCheck(ctxt, nbchars, ent)) { 2425 2424 xmlFree(rep); … … 2435 2434 COPY_BUF(l,buffer,nbchars,c); 2436 2435 str += l; 2437 if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {2438 growBuffer(buffer, XML_PARSER_BUFFER_SIZE);2436 if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { 2437 growBuffer(buffer, XML_PARSER_BUFFER_SIZE); 2439 2438 } 2440 2439 } … … 3195 3194 xmlChar limit = 0; 3196 3195 xmlChar *buf = NULL; 3197 int len = 0;3198 int buf_size = 0;3196 size_t len = 0; 3197 size_t buf_size = 0; 3199 3198 int c, l, in_space = 0; 3200 3199 xmlChar *current = NULL; … … 3218 3217 */ 3219 3218 buf_size = XML_PARSER_BUFFER_SIZE; 3220 buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar));3219 buf = (xmlChar *) xmlMallocAtomic(buf_size); 3221 3220 if (buf == NULL) goto mem_error; 3222 3221 … … 3235 3234 if (val == '&') { 3236 3235 if (ctxt->replaceEntities) { 3237 if (len > buf_size - 10) {3236 if (len + 10 > buf_size) { 3238 3237 growBuffer(buf, 10); 3239 3238 } … … 3244 3243 * called by the attribute() function in SAX.c 3245 3244 */ 3246 if (len > buf_size - 10) {3245 if (len + 10 > buf_size) { 
3247 3246 growBuffer(buf, 10); 3248 3247 } … … 3254 3253 } 3255 3254 } else { 3256 if (len > buf_size - 10) {3255 if (len + 10 > buf_size) { 3257 3256 growBuffer(buf, 10); 3258 3257 } … … 3266 3265 if ((ent != NULL) && 3267 3266 (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { 3268 if (len > buf_size - 10) {3267 if (len + 10 > buf_size) { 3269 3268 growBuffer(buf, 10); 3270 3269 } … … 3291 3290 while (*current != 0) { /* non input consuming */ 3292 3291 buf[len++] = *current++; 3293 if (len > buf_size - 10) {3292 if (len + 10 > buf_size) { 3294 3293 growBuffer(buf, 10); 3295 3294 } … … 3298 3297 } 3299 3298 } else { 3300 if (len > buf_size - 10) {3299 if (len + 10 > buf_size) { 3301 3300 growBuffer(buf, 10); 3302 3301 } … … 3325 3324 */ 3326 3325 buf[len++] = '&'; 3327 while (len > buf_size - i - 10) {3326 while (len + i + 10 > buf_size) { 3328 3327 growBuffer(buf, i + 10); 3329 3328 } … … 3338 3337 if ((!normalize) || (!in_space)) { 3339 3338 COPY_BUF(l,buf,len,0x20); 3340 if (len > buf_size - 10) {3339 if (len + 10 > buf_size) { 3341 3340 growBuffer(buf, 10); 3342 3341 } … … 3347 3346 in_space = 0; 3348 3347 COPY_BUF(l,buf,len,c); 3349 if (len > buf_size - 10) {3348 if (len + 10 > buf_size) { 3350 3349 growBuffer(buf, 10); 3351 3350 } … … 3357 3356 } 3358 3357 if ((in_space) && (normalize)) { 3359 while ( buf[len - 1] == 0x20) len--;3358 while ((len > 0) && (buf[len - 1] == 0x20)) len--; 3360 3359 } 3361 3360 buf[len] = 0; … … 3372 3371 } else 3373 3372 NEXT; 3374 if (attlen != NULL) *attlen = len; 3373 3374 /* 3375 * There we potentially risk an overflow, don't allow attribute value of 3376 * lenght more than INT_MAX it is a very reasonnable assumption ! 3377 */ 3378 if (len >= INT_MAX) { 3379 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 3380 "AttValue lenght too long\n"); 3381 goto mem_error; 3382 } 3383 3384 if (attlen != NULL) *attlen = (int) len; 3375 3385 return(buf); 3376 3386
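Review bot: The new `len >= INT_MAX` test in the attribute-value function runs only after the whole value has been copied (it follows `buf[len] = 0;`), so with `len` and `buf_size` now `size_t` a single attribute can still drive the buffer up to that size before it is rejected. For untrusted documents it would be safer to enforce the bound inside the copy loop, next to the `len + 10 > buf_size` checks, so the parser stops growing early. The rejection also exits through `mem_error`, whose body is outside the visible lines; if that label reports an allocation failure, the caller would see a memory error on top of the length error, and a separate exit label would be clearer. The message has a typo: `"AttValue lenght too long\n"` should read `"AttValue length too long\n"`, and the comment above it has `lenght` and `reasonnable`. The function starts and ends outside the visible lines.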